Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

There are lots of Holy Grails when it comes to compromising endpoints. One of them has long been an attack that leads to kernel ring0 access on a Windows system. That translates into so-called “God Mode” for hackers — and “game over” for victims.

This is why Microsoft has gone to great lengths over the years to harden defenses to protect the kernel with such things as PatchGuard, Driver Signature Enforcement and SecureBoot. However, attackers continue to devise new kernel-mode malware that evades these protections.

At a Black Hat session on Thursday, researchers at Endgame take these kernel attacks one step further. At their session, “Kernel Mode Threats and Practical Defenses,” they demonstrated how to weaponize Turla Driver Loader into a full, fileless kernel-mode attack.

The Turla Driver Loader (TDL), named for its link to the Turla APT group, is a technique used to bypass a Windows mitigation called Driver Signature Enforcement, first introduced in Windows Vista. Those policies ensure only drivers signed with a valid digital signature can be loaded into the kernel. The TDL technique is not entirely unique, but using it in the context of a full, fileless kernel mode attack is, said Joe Desimone, senior malware researcher at Endgame.

The result is a compromised system stripped of endpoint AV and endpoint detection and response (EDR) defenses — which can be used to silently exfiltrate data or infiltrate a network.

Desimone and his colleague Gabriel Landau were able to leverage existing public code to create a post-exploitation kernel-mode fileless attack technique. “We’re able to get full access on the machines in a very stealthy way,” Landau said.

The attack uses the Squiblydoo/Squiblytwo hacker tools, used in tandem with another tool called DotNetToJS, to execute arbitrary .NET code.

Both researchers said they are unaware of researchers or malware in the wild that combine these techniques to produce an attack of this style.

The attack is a post-infection technique that allows an adversary with limited Ring3 (user mode) access to a system to gain God-Mode Ring0 access – all while sidestepping Microsoft’s advanced kernel protection.

“If an attacker is running their malware at kernel mode, the attacker is running at the same privileges as the security stack itself. So it’s really easy for them to just disable whatever security software is running on the box,” the researchers said.

In response to attacks such as TDL, Microsoft has recently implemented Virtualization Based Security (VBS), which sandboxes the kernel. The feature is currently running on a minority of Windows 10 machines and requires updated hardware.

However, even the latest protections from Microsoft can be sidestepped by attackers to tamper kernel code. “Exploring VBS’s design, we show how kernel mode data-only attacks can be used to silently disable antivirus and EDR software even when VBS and Hypervisor Code Integrity (HVCI) is enforced,” the researchers noted.

Furthermore, the researchers developed a potentially more destructive and stealthy attack. “We are showing how a data-only attack can be leveraged to perform Return Oriented Programming (ROP) [attacks], enabling us to execute arbitrary kernel functions with full ring0 privileges,” they said.

They added, “This attack is the most important, because it gives more flexibly to the attacker [than a data-only attack] and also defeats all available defenses today… We do this by using the vulnerable driver as a puppet.”

The researchers also demonstrated one method which can detect these ROP-based kernel attacks. This method leverages the Performance Monitoring Unit (PMU) on Intel processors and can detect and stop the attackers in real time.

Here at Black Hat, Endgame also released two tools designed to protect against kernel mode malware. The first is Marta, which detects subtle kernel tampering such as from the DOUBLEPULSAR implant. The second is Kernel Attack Surface Reduction (KASR), which blocks blacklisted vulnerable drivers from loading on the system. Both tools are available at endgame.com/communitytools.

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.